3 votes

I have previously used curl to retrieve secrets from my Azure KeyVault.

First I retrieve my token and get the url of my keyvault:

token=$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true | awk -F"[{,\":}]" '{print $6}')

keyvaulturl="https://myTestKeyVault-keyvault.vault.azure.net/secrets"

I can then access my KeyVault

curl -s "${keyvaulturl}/xxx?api-version=2016-10-01" -H "Authorization: Bearer ${token}"

However this is just for getting secrets. Is there any way via curl to update them? Or is it better to use azure cli? What is the best automated form of authentication in this case?


1 Answer

3 votes

Yes, yes there is.

# Add secret
$ curl -X PUT \
    -s "https://alice.vault.azure.net/secrets/SecretFromCurl?api-version=2016-10-01" \
    -H "Authorization: Bearer ${token}" \
    --data-ascii '{"value": "sup3rs3cr37v4lu3"}' \
    -H "Content-type: application/json"

{"value":"sup3rs3cr37v4lu3","id": ...


# Read back the secret
$ curl -s "https://alice.vault.azure.net/secrets/SecretFromCurl?api-version=2016-10-01" \
    -H "Authorization: Bearer ${token}"

{"value":"sup3rs3cr37v4lu3","id": ...

Use jq to parse JSON; awk does JSON like I do yoga (with sub-optimal gracefulness) —

$ curl -s "https://alice.vault.azure.net/secrets/SecretFromCurl?api-version=2016-10-01" \
    -H "Authorization: Bearer ${token}" | jq -r ".value"

sup3rs3cr37v4lu3

However, it's a little cumbersome; using az keyvault secret ... is cleaner and more human readable, not to mention az has its own built-in JMESPath --query filter. For example:

# Login with Managed Service Identity
$ az login --identity

# Get secret value
$ az keyvault secret show --vault-name alice -n SecretFromCurl --query "value" --output tsv

sup3rs3cr37v4lu3

Just in case you needed more manual JSON exploring in your life, jpterm will NOT disappoint —

[jpterm screenshot]
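The flow the question and the answer describe (managed-identity token from IMDS, then GET and PUT against the vault's secrets endpoint) as one runnable script. This is an added example, not code from the question, the answer or an Azure SDK; it uses only the Python standard library. The IMDS endpoint, api-version strings, headers and JSON shapes are those of the curl commands above. FakeTransport, its canned responses, the vault name alice and the token string are constructed so the script runs offline; against a real VM with a managed identity, omit the transport argument and the same code does the HTTP.

```python
"""Azure Key Vault secrets over the REST API, authenticated with a managed identity.

Added example for this thread, not code from the question or the answer.
Standard library only. FakeTransport and its responses are constructed.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEYVAULT_RESOURCE = "https://vault.azure.net"   # token audience, not a vault URL
KV_API_VERSION = "2016-10-01"


def default_transport(req):
    """Send a urllib Request; return (status, body) even for HTTP error codes."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def get_msi_token(transport=default_transport):
    """Ask IMDS for an access token whose audience is Key Vault.

    Metadata: true is mandatory; IMDS refuses requests without it so that a
    forwarding proxy or SSRF bug cannot obtain the token on its own.
    """
    query = urllib.parse.urlencode(
        {"api-version": IMDS_API_VERSION, "resource": KEYVAULT_RESOURCE})
    req = urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})
    status, body = transport(req)
    if status != 200:
        raise RuntimeError(f"IMDS token request failed: HTTP {status} {body[:200]!r}")
    return json.loads(body)["access_token"]   # what the page's awk/jq step extracts


class KeyVaultSecrets:
    """Minimal get/set client for one vault, same endpoints as the curl calls above."""

    def __init__(self, vault_name, token, transport=default_transport):
        self.base = f"https://{vault_name}.vault.azure.net/secrets"
        self.token = token
        self.transport = transport

    def _call(self, method, name, payload=None):
        url = f"{self.base}/{urllib.parse.quote(name, safe='')}?api-version={KV_API_VERSION}"
        headers = {"Authorization": f"Bearer {self.token}"}
        data = None
        if payload is not None:               # PUT body is {"value": "..."} as on the page
            data = json.dumps(payload).encode()
            headers["Content-Type"] = "application/json"
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        status, body = self.transport(req)
        if status == 401:   # bad/expired token, or token issued for another resource
            raise PermissionError("token rejected: expired or wrong audience")
        if status == 403:   # authenticated, but no secrets permission on this vault
            raise PermissionError("identity lacks the secrets permission on this vault")
        if status == 404:
            return None
        if status != 200:
            raise RuntimeError(f"{method} {url}: HTTP {status} {body[:200]!r}")
        return json.loads(body)

    def get(self, name):
        """Current value of the secret, or None if it does not exist."""
        doc = self._call("GET", name)
        return None if doc is None else doc["value"]

    def set(self, name, value):
        """Create the secret or add a new version; returns the versioned secret id."""
        return self._call("PUT", name, {"value": value})["id"]


class FakeTransport:
    """Constructed stand-in for IMDS and Key Vault so the example runs offline."""

    def __init__(self, token="constructed-msi-token"):
        self.token, self.secrets, self.calls = token, {}, []

    def __call__(self, req):
        self.calls.append((req.get_method(), req.full_url))
        if req.full_url.startswith(IMDS_TOKEN_URL):
            if req.get_header("Metadata") != "true":
                return 400, b'{"error":"bad_request_102"}'
            return 200, json.dumps({"access_token": self.token, "token_type": "Bearer"}).encode()
        if req.get_header("Authorization") != f"Bearer {self.token}":
            return 401, b'{"error":{"code":"Unauthorized"}}'
        url = urllib.parse.urlparse(req.full_url)
        name = urllib.parse.unquote(url.path.rsplit("/", 1)[1])
        secret_id = f"https://{url.netloc}{url.path}/0000000000000000"  # constructed version id
        if req.get_method() == "PUT":
            self.secrets[name] = json.loads(req.data)["value"]
        if name not in self.secrets:
            return 404, b'{"error":{"code":"SecretNotFound"}}'
        return 200, json.dumps({"value": self.secrets[name], "id": secret_id}).encode()


def demo(transport=None):
    """Fetch a token, add a secret, read it back; returns (value, missing, secret_id)."""
    transport = transport or FakeTransport()
    kv = KeyVaultSecrets("alice", get_msi_token(transport), transport)
    secret_id = kv.set("SecretFromCurl", "sup3rs3cr37v4lu3")
    return kv.get("SecretFromCurl"), kv.get("DoesNotExist"), secret_id
```

Two things the curl one-liners gloss over are made explicit here. A 401 and a 403 mean different things: 401 is a token problem (expired, or requested with a resource other than https://vault.azure.net), while 403 means the identity authenticated but the vault's access policy grants it no secrets permission, so the client reports them separately instead of failing with an opaque curl exit. And the secret value stays in process memory; with --data-ascii '{"value": ...}' on the command line it is visible in ps output and shell history, which matters more for updates than for reads.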